How to test TLS connection and server certificate

uherbst, Solace Employee

If you use TLS to secure your connections (and you should use TLS as often as possible), you sometimes have issues connecting to your TLS ports.
Here, I will describe a way to debug that.

Try to connect to a port

You're not sure if your service / port is enabled, or (most probably) whether all your firewall rules are in place?
From the client, try to connect to the server port.
Often telnet is recommended. I don't recommend that, because the handling of telnet is a little bit complicated, especially quitting telnet after connecting. I recommend nc for that:

$ nc -vz 8883
Connection to 8883 port [tcp/*] succeeded!

-v: Be verbose; report whether the connection succeeded
-z: Just try to connect and stop, don't send any data

Check TLS server certificate

To see details of the server certificate, use openssl:

[uherbst@umbp ~] $ openssl s_client -connect
depth=2 C = US, O = DigiCert Inc, OU =, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU =, CN = Thawte RSA CA 2018
verify return:1
depth=0 C = CA, ST = Ontario, L = Kanata, O = Solace Corporation, CN = *
verify return:1
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*
   i:/C=US/O=DigiCert Inc/ RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/ RSA CA 2018
   i:/C=US/O=DigiCert Inc/ Global Root CA
Server certificate
subject=/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*
issuer=/C=US/O=DigiCert Inc/ RSA CA 2018
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 3392 bytes and written 334 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Master-Key: 59FE52516A3EA4A63FAA1EAB8045EE8A0F5813D6F9D83E6A02931BFFEFCA5C382D2C3670655169B097F104F9D8F75577
    Start Time: 1607409440
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

What can we see here?
1. The common name of your server:
subject=/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*
2. The certificate chain for your certificate:

Certificate chain
 0 s:/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*
   i:/C=US/O=DigiCert Inc/ RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/ RSA CA 2018
   i:/C=US/O=DigiCert Inc/ Global Root CA

With this information you know that you need the certificates for DigiCert Global Root CA and Thawte RSA CA 2018 to validate your server certificate.
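The two checks above (nc for reachability, openssl s_client for the certificate) wrapped in a small script, as an added example that is not part of the original post. It parses the s_client transcript so the chain and the "Verify return code" can be used in a script instead of read by eye. Assumptions: OpenSSL 1.1.0 or newer (for -verify_hostname), an nc that supports -z and -w, and an optional PEM CA bundle as the third argument; the host names in the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: TCP reachability with nc,
# certificate inspection with openssl s_client, and parsers for the s_client
# transcript. Assumptions: OpenSSL 1.1.0+ (-verify_hostname), nc with -z/-w,
# optional PEM CA bundle as third argument.

# tcp_reachable HOST PORT: the same test as `nc -vz`, 5 s timeout, no data sent.
tcp_reachable() {
    nc -z -w 5 "$1" "$2" 2>/dev/null
}

# tls_probe HOST PORT [CAFILE]: print the s_client transcript. -servername sends
# SNI (without it a broker with several TLS listeners may present a different
# certificate) and -verify_hostname turns a name mismatch into a non-zero
# "Verify return code" instead of the misleading "0 (ok)".
tls_probe() {
    ca_opt=""
    [ -n "${3:-}" ] && ca_opt="-CAfile $3"
    # $ca_opt is deliberately unquoted so it splits into flag and value
    openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
        $ca_opt </dev/null 2>&1
}

# chain_summary: read an s_client transcript on stdin, print one line per chain
# element as "<depth> subject=<...> issuer=<...>". Depth 0 is the server cert;
# the issuer of the last element is the root you need in your trust store.
chain_summary() {
    awk '
        /^Certificate chain/        { inchain = 1; next }
        /^(Server certificate|---)/ { inchain = 0 }
        inchain && /^ *[0-9]+ s:/   { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        inchain && /^ *i:/          { sub(/^ *i:/, ""); printf "%s subject=%s issuer=%s\n", depth, subj, $0 }
    '
}

# verify_code: read an s_client transcript on stdin and return the
# "Verify return code" as exit status: 0 means the chain validated against the
# trust store, 255 means the line was missing (handshake never got that far).
verify_code() {
    code=$(awk '/^ *Verify return code:/ { print $4 }')
    [ -n "$code" ] || return 255
    return "$code"
}

# check_tls HOST PORT [CAFILE]: the whole procedure from the post in one call.
check_tls() {
    if ! tcp_reachable "$1" "$2"; then
        echo "TCP connect to $1:$2 failed: nothing listening, or a firewall in the way" >&2
        return 1
    fi
    out=$(tls_probe "$1" "$2" "${3:-}") || true   # s_client exits non-zero on a failed handshake
    printf '%s\n' "$out" | chain_summary
    rc=0
    printf '%s\n' "$out" | verify_code || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK: certificate chain for $1 verified"
    else
        echo "FAIL: certificate for $1 not trusted (verify return code $rc)" >&2
        return 1
    fi
}

# Constructed transcripts (not real broker output) so the parsers can be run
# offline. The second one is the "unable to get local issuer certificate" case:
# the server's issuer is not in the local trust store.
sample_trusted() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:C = CA, O = Example Corp, CN = broker.example.com
   i:C = US, O = Example CA Inc, CN = Example Issuing CA
 1 s:C = US, O = Example CA Inc, CN = Example Issuing CA
   i:C = US, O = Example CA Inc, CN = Example Root CA
---
    Verify return code: 0 (ok)
EOF
}

sample_untrusted() {
    cat <<'EOF'
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = broker.example.com
   i:CN = Some Private CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

if [ $# -ge 2 ]; then
    check_tls "$@"
fi
```

Usage: `sh check_tls.sh broker.example.com 8883` (or with a third argument pointing at a CA bundle if the broker uses a private CA). The exit status is 0 only when the port answers and the chain verifies, which makes it usable from a deployment pipeline. Note that s_client alone reports "Verify return code: 0 (ok)" even when the certificate's name does not match the host you connected to; that is why the script always passes -verify_hostname.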



  • TomF, Solace Employee

    A handy tip, @uherbst !

  • soutchilin


    Maybe it is a bit of an unrelated question... I'm trying to create a session and establish a connection from C# using solclient to a PubSub+. Unfortunately I get an error like this: Session '(c0,s1)_[myVPN]' failed to load trust store: unspecified property 'SESSION_SSL_TRUST_STORE_DIR'

    I have only a default server certificate configuration, basically what was automatically pre-created by Solace PubSub+. What is the directory for that?

    One remark for configuring session properties:

    If I set SSLValidateCertificate to false, then no validation, no error.

    If I set SSLTrustStoreDir="certs", I get "Session '(c0,s1)_[myVPN]' cannot access 'SESSION_SSL_TRUST_STORE_DIR' : 'certs'"

    If I set SSLTrustStoreDir = "/" the session is created, but connect fails with Session '(c0,s1)_[myVPN]': The peer certificate is not trusted, rc='unable to get local issuer certificate'




  • TomF, Solace Employee

    Hi @soutchilin,

    When you set SSLValidateCertificate to true, you're asking the API to check the server certificate - in other words, first to verify that the server is who it says it is, and then that this is a server you're happy to trust.

    To do this, you have to tell the API which servers you trust. This is done using the trust store, which stores which servers you are happy to trust. You'll need to set up a trust store that trusts the broker, which will be stored in a directory - you can then point SESSION_SSL_TRUST_STORE_DIR to this directory.
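One way to get the CA certificates that belong in such a trust store, as an added example that is neither part of this thread nor Solace API code: dump the chain the broker presents with openssl s_client -showcerts, split it into one PEM file per certificate, drop the server certificate itself, and test the result with openssl verify. Assumptions: OpenSSL is installed, and the exact rules the Solace API applies to the files in SESSION_SSL_TRUST_STORE_DIR (names, extensions) are not known to this script and must be taken from the API documentation; the sample transcript is constructed with dummy PEM bodies.

```shell
#!/bin/sh
# Added example, not from the thread or the Solace API: collect the CA
# certificates a broker presents into a directory, the raw material for a
# trust store. Assumptions: OpenSSL is installed; the API's exact rules for
# SESSION_SSL_TRUST_STORE_DIR (file names, extensions) are NOT known to this
# script, check the Solace API documentation; the broker sends leaf plus
# intermediates, but usually not the root.

# fetch_chain HOST PORT: dump every certificate the broker presents as PEM.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# split_certs DIR: read a -showcerts transcript on stdin and write each PEM
# block to DIR/cert-<n>.pem (cert-0 is the server certificate, the rest are
# the CA certificates the server included). Prints the number of blocks.
split_certs() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" (n + 0) ".pem"; infile = 1 }
        infile                        { print > out }
        /-----END CERTIFICATE-----/   { close(out); infile = 0; n++ }
        END                           { print n + 0 }
    '
}

# make_trust_store HOST PORT DIR: split the chain into DIR, move the leaf
# aside (it does not belong in a trust store), bundle the CA certificates
# and verify the leaf against that bundle. If the broker did not send its
# root, the verify step fails with "unable to get local issuer certificate",
# the error from the question above: append the root CA (from the OS bundle
# or the CA vendor) to DIR/ca-bundle.pem and run the verify again.
make_trust_store() {
    host=$1; port=$2; dir=$3
    count=$(fetch_chain "$host" "$port" | split_certs "$dir")
    if [ "$count" -eq 0 ]; then
        echo "no certificates received from $host:$port" >&2
        return 1
    fi
    mv "$dir/cert-0.pem" "$dir/leaf.pem"
    : > "$dir/ca-bundle.pem"
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || continue                  # count was 1: no CA certs sent
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
        cat "$f" >> "$dir/ca-bundle.pem"
    done
    openssl verify -CAfile "$dir/ca-bundle.pem" "$dir/leaf.pem"
}

# Constructed -showcerts transcript with dummy (not valid) PEM bodies, only to
# exercise the splitting logic offline; openssl would reject these files.
sample_showcerts() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = broker.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
DUMMYLEAFBODY
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
DUMMYINTERMEDIATEBODY
-----END CERTIFICATE-----
---
EOF
}

if [ $# -eq 3 ]; then
    make_trust_store "$@"
fi
```

Usage: `sh make_trust_store.sh broker.example.com 8883 ./certs`. Two points worth checking before pointing the API at the directory: the leaf has been moved out (a trust store should hold CAs, not the server's own certificate), and the final openssl verify succeeds, which it only does once the root CA is present as well. Taking certificates from the live connection like this is fine for diagnosing which CAs are involved; for the trust store you actually deploy, take the root from a source you trust independently of the connection you are trying to validate.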